Abstract

On the Internet large service providers tend to control the digital identities
of users. These de facto identity authorities wield significant power over users,
compelling them to comply with non-negotiable terms, before access to services
is granted. In doing so, users expose themselves to privacy risks, manipulation and
exploitation via direct marketing. Against this backdrop, the emerging areas of
Digital Ecosystems and user-centric identity emphasise decentralised environments with
independent self-determining entities that control their own data and identity. We
show that recent advances in user-centric identity, federated identity and trust have
prepared the ground for decentralised identity provisioning. We show how social
trust, rather than blind deference to authorities, can provide a basis for identity,
where risks can be weighed and compared rather than merely accepted. Fundamentally,
we are considering the move from authority-centric centralised identity
provisioning to user-centric distributed identity provisioning. Finally, we highlight
the potential impacts of distributed identity provisioning in the Information Society
and give a brief roadmap for its general implementation and adoption.
1 Introduction

This paper is concerned with digital identity 1 in decentralised environments, where
identity authorities either do not exist or play a limited role. We have two decentralised
environments in mind: i) the web, where users access services on the Internet via a web
browser, and ii) Digital Ecosystem platforms where users use enhanced clients to access
web services via arbitrary service access protocols. Usually, our analysis applies equally
to both cases; where this is otherwise, a distinction is made.

The ethos of Digital Ecosystems 2 (DEs) favours open, distributed service platforms as 
an alternative to the 'keystone' model, in which entities cluster around systems that are 
owned and maintained by a small number of authoritative entities. DEs are composed 
of distributed, interconnected groups of equal entities, in contrast to the keystone model 
that fosters an undesirable dependence of 'ordinary' entities on 'authoritative' entities.
DEs are effective when they foster broad, diverse organisations of entities that are free 
to compete and collaborate based on dynamic social factors. Identity in DEs must be 
similarly distributed and decentralised, and founded on social relationships within the 
ecosystem. The virtual organisation of identities in an ecosystem can be described as 
emergent, decentralised, informal, and though based on local relationships is potentially 
global in extent. 

Traditionally, identity has been concerned almost solely with the use of a
username-password pair to authenticate a user for access to a service. A small set of data items stored
by the service provider (SP) determines the user's access rights and other information 
pertinent to service use. Users, typically, have one identity per service, and the SP provides 
the identity, via an internal identity provider (IdP). The IdP is responsible for retaining 
information pertaining to this identity, providing authentication and authorisation, and 
generally speaking presiding over the entire life-cycle of the identity. For each service, 
there is a prescribed IdP that users must deal with. Where services become very popular, 
and where services proliferate on the same network, or service platform (e.g. Google, 
Yahoo!), a common IdP is invariably used to manage identities for all services. These 
IdPs are identity authorities for those environments and users are compelled to accept 
their terms of service and to trust them with supplied personal information. 

Recent developments in identity, driven by technical, social and business concerns 
have begun to change this landscape significantly. User-centric identity developments 
have led to the logical and functional separation of SP and IdP, which allows the user to 
choose the IdP that provides their identity to an SP. Federated Identity is concerned with 
linking identity domains intra- and inter-organisation such that identities on one system 
can be used to access services on another. Considerable research has been conducted on 
privacy preserving identity management, which highlights the sensitivity of identity to 
interference by identity authorities and data controllers. Other research has recognised 
that traditional identity management systems have tended to give rise to unequal power 
relations that place the SP/IdP at an advantage to the user. These developments have 
laid the foundations for a fundamentally different kind of identity management, that is 
not backed and controlled by authorities but is backed by trust and controlled by the 
user. 

In contexts where reliance on identity authorities is unnecessary or undesirable, we 
propose the move from authority-centric centralised identity provisioning (Miyata et al, 
2006) to user-centric (Maler and Reed, 2008) distributed identity provisioning
(McLaughlin et al, 2009), in which identity is provided based on trust, ultimately derived through
social networks. 

2 Literature and technology review 

2.1 Key concepts 

Digital identity (Glasser and Vajihollahi, 2008; Cameron, 2006; Jøsang and Pope,
2005b; Pfitzmann and Hansen, 2005) is concerned with how people are identified on
computer systems and the internet 3. Partial identities are 'that which represents a person
in a particular context in the online world' (Hansen et al, 2004; Glasser and Vajihollahi,
2008), which is the type of identity we will use to represent users in practice. Identity
is traditionally responsible for determining access rights to sensitive resources for users.
With the advent of Web 2.0, web services have appeared that foster the development of rich
online identities comprising personal attributes, preferences and behaviour, in addition to
access related metadata. For example, social networking sites such as Facebook encourage
users to create detailed user profiles and to replicate, and build on, real world social
networks on its site. This represents a shift from a purely technical and security oriented
concept of identity to one that is socio-technical and enabling of social services.

3 Identity management, comprising the protocols and use of credentials to establish identity, is a major
area in its own right and we do not discuss it directly here.

Federated identity is concerned with federating previously separate identity domains, 
across large organisations and the enterprise, such that users in one domain can consume 
services in another. "Federated identity infrastructure enables cross-boundary single
sign-on (SSO), dynamic user provisioning and identity attribute sharing. By providing for
identity portability, identity federation affords end-users with increased simplicity and
control over the movement of personal identity information while simultaneously enabling
companies to extend their security perimeter to trusted partners." (SourceID, 2009).

User-centric identity is a philosophy, and set of supporting standards and technologies, 
for empowering the user by giving them control over their identities (Maler and Reed, 
2008). The major philosophical innovation is in forming a distinction between SP and 
IdP in online applications, where the two have always been seamlessly integrated, and 
providing technologies for allowing those SPs (e.g. Facebook, Twitter) to use an IdP 
of the user's choice (rather than its own) to authenticate the user for the service. This 
move has given users the opportunity to manage consent for personal data disclosure, 
manage their own credentials, and perform authentication, or SSO (where the IdP will 
authenticate the user to a range of services), independently of SPs 4 (e.g. OpenID 5).

Trust has long been a topic of study in psychology, sociology, philosophy and
economics; but in the nineties it has also found application in e-commerce, particularly
in online markets such as eBay (Sabater and Sierra, 2005). Trust can be described as
"a directional relationship between two parties that can be called trustor and trustee"
(Jøsang, 2007) where a trustor is said to trust, or not to trust, a trustee, in a particular
context. Trust can be used as a form of 'soft security' (Jøsang, 2007) or, by reflecting
the real world social relations, as an enabler of "trade, competition, collaboration and
so on" (Sabater and Sierra, 2005). There are numerous models for computing trust and
reputation 6 (Sabater and Sierra, 2005; Jøsang, 2007) on various systems and networks,
including decentralised P2P networks (Marti and Garcia-Molina, 2006).

Trust transitivity describes how trust propagates on social networks, and is predicated 
on the principle that if A trusts B and B trusts C, A indirectly trusts C under certain 
conditions (Huang and Fox, 2006). Trust transitivity can be useful where one party may 
not have a direct trust relationship with another party. For example, even though A 
may not know a 'good' mechanic, A may accept a recommendation, or referral, from B 
recommending a good mechanic C. 'Referral' trust, as a special case of trust in 'belief'
(Huang and Fox, 2006), is transitive (Jøsang, 2007), meaning that the beliefs of parties
are trusted, and can be passed on to others in a chain of trust. These trusted beliefs feed 
into decision making in the real world, and recently in the online world as well. 

Trust networks can be built from transitive trust chains (Jøsang et al, 2006). Directed
'arcs' in the network, representing trust relationships between the trustor 'node' and the
trustee node, can be 'coloured' to indicate the trust context. Contextual trust chains
can be traced by following same coloured arcs of 'belief' trust from a 'source' node, the
trustor, to a 'sink' node, the trustee 7.

4 Though only if SPs support a user-centric sign-on protocol.
5 http://openid.net/
6 "The overall quality or character [of some trustee] as seen or judged by people in general." (Jøsang,
2007)

Digital Ecosystems can be described as "distributed adaptive open socio-technical 
system, with properties of self-organisation, scalability and sustainability, inspired by 
natural ecosystems" (Briscoe and De Wilde, 2006). The term has been used in other 
contexts (Briscoe, 2009), however, we refer here to the body of research initiated under 
the heading of Digital Business Ecosystems (DBE), that is intended to promote the
pervasiveness of Information and Communications Technology (ICT) in Small and Medium
sized Enterprises (SMEs) and move organisations towards a "more, fluid amorphous and,
often, transitory structures based on alliances, partnerships and collaboration" using
biologically inspired metaphors (Nachira, 2002). This contrasts with the 'keystone' model,
where smaller supplier firms cluster around one large firm, which is a successful business
structure only when the major actor is economically 'healthy'. DEs support DBEs as a
particular case, i.e. business (Briscoe and De Wilde, 2006). The OPAALS 8 approach to
creating a DE infrastructure is to build a decentralised service platform from P2P and
other distributed technologies, informed by social theory and biological metaphors (Dini
et al, 2008). Several strands of research from DEs that are relevant to our efforts, including
the theory of power structures in identity systems, privacy preserving identity
management and user-centric identity, emphasise the imbalance of power between large SPs with
in-house IdPs, such as Google on the web, and the government and enterprises on other
networks; and the users that consume their services.

2.2 Decentralised identity 

The following principles of DEs influence our approach to decentralised identity
provisioning, namely, "no single point of failure or control," "should not be dependent upon any
single instance or actor," "equal opportunity of access for all," "scalability and
robustness," "ability to evolve, differentiate, and self-organise constantly," and "local autonomy"
(Nachira et al, 2007b).

The 'carrot', for users, of a more equal and more sustainable ecosystem of services
is reinforced by the 'stick' of an emerging surveillance society (Pounder, 2008), where
undesirable power relations are developing between controllers of personal information
and users, that make users suspicious of authorities. The associated risks to the user
include erosion of privacy, the influence and manipulation of persons or populations,
and user-profiling activities (Halperin and Backhouse, 2008). A sociological survey and
analysis of privacy issues and 'power' relations between user and SP/IdP in collaborative
workspaces and social networks is given by Pekarek and Potzsch (2009), who conclude
that "social norms are currently the only forces effectively delimiting the unabridged use of
personal information," and cite the use of open source P2P networks as an improvement
over centralised servers for data privacy. Furthermore, Krasnova et al (2008) show that
concerns about privacy on social networks can threaten their long term viability. Even
from a sheer practical point of view, the risk of data breaches, through theft, accidental
exposure, viruses and hacking, or insufficient access control and security puts user data at
risk when data controllers hold large amounts of data (Baker et al, 2009) 9.

7 The final arc in the chain must actually be a 'performance' (Huang and Fox, 2006) or 'functional'
(Jøsang, 2007) trust arc.

8 Open Philosophies for Associative Autopoietic Digital Ecosystems (Rathbone, 2008)

Privacy enhancing identity management comprises an important stream of European 
research, starting with PRIME 10 , whose guiding principle was to "put individuals in 
control of their personal data" (Leenes et al, 2008), and is concerned with issues such as 
minimising data disclosure and negotiating privacy policies with SPs. Similar concerns 
are expressed by Cameron's 'Laws of Identity' (Cameron, 2006). This research echoes 
and reinforces from a theoretical perspective what user-centric identity specifications and 
technologies are accomplishing at a practical level. 

2.3 Technology 

The two main federation specifications are SAML v2.0 11 and WS-Federation 12, both of
which are OASIS 13 standards. SAML v2.0 is the older specification and enjoys the most
widespread adoption. Shibboleth 14 has become the de facto SAML compliant, federated
identity solution and is open source.

A model for identity in DEs was outlined by McLaughlin et al (2009), that is capable 
of building arbitrary identity operations, which are protocols that conduct identity tasks 
such as sign-on. The model is backed by trust rather than by a central authority, is 
agnostic of particular platform implementations, and can operate in purely decentralised 
environments such as P2P. Identity Flow 15 is an open source implementation of this
identity model.

3 Trust requirements for identity 

Identity is always accepted by third parties on the basis of trust; however, until recently
(Kylau et al, 2009; Jøsang et al, 2005) the trust requirements of identity had not been
analysed explicitly. It was sufficient for an SP, combined with an authoritative identity
provider, to control the identity of users and to compel them to authenticate each time they
consumed the service. The user was expected to either blindly trust the SP/IdP or not
to participate in the service 16. In effect, the SP reduced its risk to almost zero, while the
user's risk was hardly considered. With the advent of federated and user-centric identity,
and the possibilities of decentralised identity, a more formal analysis is required. By
understanding how trust is required in these scenarios, we can give requirements for trust
in decentralised identity.

Identity is asserted either by the subject, i.e. the user, or by some representative of
the subject, such as the user's IdP; this identity assertion, or claim, is then verified by a
relying party, i.e. an SP, or by a third party on the relying party's behalf, such as the
relying party's IdP. These two statements on identity assertion and verification will hold
true in every scenario. What will vary is the exact configuration of actors participating in
an identity task. We define an identity task as the task of generating an identity assertion
and making it acceptable to a relying party.

9 "...organizations that process or store large quantities of data valued by the criminal community;
they are the quintessential Targets of Choice."
10 https://www.prime-project.eu/
11 http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
12 http://www.ibm.com/developerworks/library/specification/ws-fed/
13 http://www.oasis-open.org/
14 http://shibboleth.internet2.edu/
15 http://sourceforge.net/projects/identityflow/
16 Although, it is true that the use of public key infrastructure (PKI) certificates can give users some
assurances by linking the SP to a real world entity.

Figure 1: High level view of common federation and user-centric SSO protocols (e.g.
SAML and OpenID).

Examples of Web 2.0 SPs are Facebook and Google; both of these also act as IdPs
for their domains, and potentially as IdPs for other domains, using OpenID. An example
of an SP on an academic federation network, the UK Access Management Federation 17,
is the online publications database, ScienceDirect 18; while the universities themselves are
IdPs for their domains, and sometimes also SPs. In the first case, the 'users' are internet
users, in the second they are staff and students. In a digital ecosystem environment it
is envisioned that all entities will have the ability to offer and consume services and act
as IdPs for other entities, in a social network of equals. Identity tasks in these various
environments establish identity, assert attributes and handle authorisation.

We begin our analysis by looking at trust requirements in federated and user-centric 
SSO. SSO is the most important identity task, and the killer application of these two 
identity technologies. In particular, we consider the SAML v2.0 SSO profile and the 
OpenID v2.0 protocol. Though these two protocols differ in complexity (SAML is
the more complex and extensible specification) and in their transport layers
(SAML uses various bindings, OpenID uses an HTTP GET Binding-like transport), they
are sufficiently similar that we can examine them together 19. We use 'User', 'Identity
Provider' and 'Service Provider'; where SAML uses 'User-Agent', 'Identity Provider' and
'Service Provider'; and where OpenID uses 'User-Agent', 'OpenID Provider' and 'Relying
Party', respectively. The basic protocol flow is given in Fig. 1.

The trust requirements of identity management for protecting user privacy, when
dealing with various IdPs and SPs in various identity scenarios are given in Jøsang et al
(2005), whilst the trust requirements of IdP and SP in a range of similar scenarios are
given in Kylau et al (2009). Summarising and extrapolating from these sources, we look
at the trust requirements of all parties involved in identity tasks, such as SSO. Fig.
2 illustrates the trust relationships between the three parties in the SSO identity task,
which are explained below. These trust relationships are necessary for actors to interact
with each other, because each of them is associated with a risk or set of risks. In each
case, the context of the trust is given and the grounds for the trust. Where grounds are
different in user-centric (UC) or federated (FD) identity, these are noted.

17 http://www.ukfederation.org.uk/
18 http://www.sciencedirect.com/
19 The transport protocol will not affect our analysis of the role of trust in identity tasks.

Figure 2: Trust relationships in SSO protocols.

A: User trusts IdP to protect his privacy, to be secure and to manage his identity
information appropriately*. (Context: identity provision. Grounds: agreement
(FD) or user chooses IdP based on experience or reputation (UC).)

B: IdP trusts that user is who he claims to be, and that the user will manage granted
credentials with care. (Context: identity self-assertion and responsibility. Grounds:
authentication and agreement (FD) or positive risk assessment 20 (UC).)

C: SP trusts IdP to assert valid and truthful identity claims and to behave appropriately
with data shared. (Context: make good assertions. Grounds: agreement and trust
in methods 21.)

D: IdP trusts SP to adhere to privacy policies regarding the disclosure of user data.
(Context: trust to maintain privacy. Grounds: agreement and trust in methods.)

E: User trusts SP not to correlate personal data about him from other IdPs 22 *.
(Context: trust to maintain privacy. Grounds: derived from agreement in D† (FD), trust
in terms of service (UC).)

F: SP trusts user to abide by terms of service. (Context: trust in good intentions.
Grounds: from agreement in C† (FD) or positive risk assessment (UC).)

*Additionally, users trust both IdP and SP to pass assertions only when requested by
the user and that the mapping between user identities/data on both ends is correct.

†In the federated scenario, trust relationships E and F are essentially derived from D and C,
respectively, since federated agreements between IdP and SP are binding for all users in
the IdP's identity domain.

These trust relationships may not be absolute, but they must be 'sufficient', both
individually and collectively, in order for the identity task to be possible. In general,
trust in federated scenarios is based on formal agreements between the controllers of the
identity domains that are being federated; trust is derived from the alliance. User-centric
scenarios tend to rely on the less solid guarantees of reputation, in the case of users
choosing an IdP, and positive risk assessments in the case of IdPs and SPs trusting users,
where risks of bad behaviour of unfaithful, anonymous users are in general outweighed
by the benefits of a 'leap of faith'. Larger risks require stronger trust relationships, and
therefore stronger grounds for trust.

20 In other words, the trustor (IdP) believes that the benefits of participation outweigh the risks, given
that there are no strong assurances (as in the federated scenario).

21 In other words, trust that secure technical measures and internal processes are in place.

22 Resulting in two separate user identities becoming linked and the corresponding breach in privacy.
(See unlinkability (Pfitzmann and Hansen, 2005).)

Figure 3: Trust relationships in identity tasks in the general case.

In DEs, and potentially on the Internet, entities can be different actors at different
times. An entity can be a user, or subject, when establishing its identity, but may be 
an IdP or SP in other situations. It is reasonable, therefore, that all entities can either 
self assert their identities or have an IdP which can assert identities on their behalf. 
Conversely, it is reasonable that all entities can either consume identity assertions or 
have an IdP that can consume identity assertions on their behalf. In keeping with the 
philosophy of separating the roles of SP and IdP, we will advance the standard trust model 
of a federated/user-centric identity task as shown, by separating the SP into SP and SP's 
IdP, where the SP's IdP is capable of consuming assertions intended for the SP. For the 
remaining discussion we assume that IdPs are capable of both generating and consuming 
assertions on behalf of other entities. 

Fig. 3 illustrates the trust relationships of the general case stated. The new
trust relationships, G and H, are internal and absolute in the traditional
federated/user-centric case, however, they may be between two different entities. If so, the analysis of
these relationships will be similar to A and B. In the case where identity claims are
self-asserted or self-verified, we assume that relationships A and B, or G and H, respectively,
are internal and absolute. We will use this model for analysing the role of trust in
decentralised identity in the following discussion.

Trust relationships C and D, between the IdP and SP, are the most important, since 
these trust relationships are core to the federated agreement, in the federated scenario, or 
the primary leap of faith, in the user-centric scenario. The trust relationships between user 
and IdP are likely to pre-date, and to be at a higher level, than these trust relationships. 
Other SPs can be made known to the IdP, and vice versa, admitting new identity tasks,
if trust relationships C and D are added for the new pair. 
4 Decentralised identity backed by trust



It is clear that the interplay between the various actors involved in an identity task is 
becoming more varied and complex over time, to address new business and collaboration 
scenarios, as reflected in the variety of federation topologies. Identity Flow is a software 
project designed to simplify the creation of complex, arbitrary, SAML-based protocols, 
to conduct arbitrary identity tasks. Each protocol must satisfy the trust requirements 
outlined in the general case in section 3 for the specific case of the identity task. We term 
these protocols, including the bindings, the trust requirements of each actor and all logic 
for conducting the identity tasks, Identity Operations. In this section, we outline how 
trust determines the success of identity operations and how trust transitivity is used to 
create a network of trust supporting operations. 

4.1 Trust in identity operations 

An agreement is explicit in federated scenarios, however, in place of an explicit agreement 
we can employ a mechanism for measuring trust. This allows for the following possibilities, 
i) that learning from experience can provide a basis for trust without having to formulate 
a fixed agreement, ii) that 'trust ratings' of trust relationships might change based on 
dynamic factors and iii) that trust relationships might not exist directly between two 
actors, but might be derivable from a trust network based on referrals. 

The evolution of trust ratings for relationships C and D leads to dynamic federations.
It is necessary that C and D be rated sufficiently highly for a given operation to succeed. 
Sensitive operations, such as inter-organisation SSO, will require high levels of trust, and 
perhaps an explicit agreement; less sensitive user-centric SSO on online social networks, 
will not require such a high level of trust. 

The possibility of dynamic federations based on trust is also suggested by Cabarcos
et al (2009), who suggest extending Liberty's "circle of trust" model by encoding trust
data in SAML assertions and using a "trust engine" to update the list of trusted identity
domains held by IdPs/SPs. This list determines which identity domains can federate.
This approach is quite practical and has a low impact on existing standards, however
its notion of 'trust' is not contextual, and therefore too coarse grained for the purposes
of transitivity (see below). In our model, 'trust checks' are conducted during protocol
execution to ensure that trust relationships are sufficient. Each entity has access to a
trust manager (see below). Calls to the trust manager during execution by trustee entity
and context will yield a trust rating, which will either exceed a trust threshold set
for the trust relationship in the operation specification, or not.

In order to analyse the protocol flow to identify points at which trust checks should
be performed, we examine a generalised configuration of actors in an operation. The
actors given in Fig. 3 in terms of their trust relationships are given again in Fig. 4 in
terms of the sequence of connections between them in a generalised operation protocol
flow. This protocol flow varies from the SSO given in Fig. 1 only in that we allow
for a physical separation of SP and SP IdP (which interprets assertions for the SP),
therefore connections 2 and 7 merely reflect the passing of the authentication request
from the SP to its IdP and the passing of the authentication response back from its IdP.
This configuration of actors is essentially generic, as in the trust analysis, except that
authentication requests and responses between the user's IdP and the SP's IdP may be
passed through any combination of intermediaries 23.

Figure 4: Representative operation with trust checks during protocol execution.

During the execution of the protocol flow there will be appropriate points at which 
to measure the level of trust relationships to ensure they are sufficient for the operation 
to succeed, since messages from untrusted parties are useless. We have already identified 
trust relationships C and D (Fig. 3) as crucial to federations and to the success of 
operations; now we examine the points at which their trust levels can be checked. There
is no point in making connection 3 if the SP's IdP does not have sufficient trust in the user's
IdP in the context of 'making good assertions', and similarly, there is no point in the
user's IdP prompting the user to authenticate if it does not trust the SP's IdP in the
context of 'maintaining (user) privacy'. At these points, a failed
authentication result should be passed back instead, and the operation should terminate. 
Trust checks can be used wherever it is felt that trust relationships are non-absolute and 
likely to evolve over time. We merely identified the most likely candidates as C and D. 
More complex protocol flows may perform additional or different trust checks between 
actors during protocol execution. 

4.2 Trust networks from trust transitivity 

We begin our discussion of trust networks and trust transitivity by formally describing 
the role of the trust manager, which is a component responsible for providing evaluations 
of trust relationships, or trust ratings. Trust ratings are conveyed in (trustee, context) 
pairs, where trustee is the trustee and context is the trust context. The trust manager 
records 'performance' trust ratings based on direct experience and is capable of gathering 
'referral' trust from third parties. Referrals are conveyed from an entity with performance 
trust in the trustee back to the trustor. Trust managers have the following functions, 

1. Maintain a set of trust ratings with entities with whom the trustor has direct
experience.

2. Discover trust transitive paths between trustor and trustee in the given context.

3. Aggregate these paths using appropriate strategies and algorithms to produce a
trust rating.

4. Be capable of checking the integrity and authenticity of referrals from referees on
the trust paths.

5. Have some mechanism for updating trust ratings based on experience.

23 This should not present significant difficulties regarding security if messages are signed, encrypted
and/or passed only to trusted parties, as appropriate.

Function 2 is a challenge in decentralised environments, or otherwise, where a virtual trust 
network must be traversed in order to discover trust transitive paths. A number of options 
for discovering such paths in decentralised networks with various topologies are given in 
Mello et al (2007). A scheme for aggregating trust paths and using belief calculus to 
produce a compound rating is given in Jøsang et al (2006). Jøsang and Pope (2005a) gives 
the rationale and methodology for verifying the integrity and authenticity of referrals. 

Entities can update their trust ratings, and can adopt strategies for deriving trust ratings 
based on experiences from interacting with other entities. Where a referring entity is responsible 
for providing a trust rating, and where that trustee is found later to be undeserving of 
that rating, a suitable strategy may be deployed to reduce that referring entity's trust 
rating in referrals. 'Experience reports' can be automatically or manually generated and 
submitted to the trust manager to derive an updated trust rating, according to some 
subjective scheme. The processes and algorithms for trust evaluation are described in 
McGibney and Botvich (2007). The open source project TrustFlow 24 is actively developing 
an implementation of a trust manager for use in P2P environments. 

In this way, the trust manager constructs internal snapshots of portions of the trust 
network, allowing entities access to the trust ratings required to ensure that trust 
requirements in operations are satisfied. This trust network is constantly changing according to 
dynamic factors and subjective decisions. 

24 TrustFlow, http://sourceforge.net/projects/trustflow/ 

Figure 6: Transitive, contextual trust graphs originating from IdPs A and C, respectively. 

By way of illustration, let us consider a portion of a decentralised network of IdPs, 
A-H, capable of acting as IdPs in a particular scenario. Performance trust relationships 
are represented by solid lines, whilst referral trust relationships are represented by dashed 
lines. We consider trust relationship C from Fig. 3 (although our analysis will apply 
equally to other relationships). C is the trust that the SP's IdP has in the user's IdP 
in the context of making good assertions. We are concerned, therefore, with the direct 
performance trust that the SP's IdP has in the user's IdP and, using trust transitivity, 
the chains of indirect referral trust from IdP to IdP, ending with a performance trust 
arc terminating at the user's IdP. We can infer a trust network from these relationships, 
illustrated in Fig. 5. 

Fig. 6 illustrates two portions of the trust network giving all possible trustees for 
trustors A and C respectively, by tracing valid trust transitive paths outwards from IdPs 
A and C. The lightly shaded boxes represent the trustees, while the transparent boxes 
are intermediate referees. 
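
The following sketch is an added illustration, not part of the original paper and not TrustFlow code. It covers trust manager functions 2 and 3 and the fail-closed trust check described for relationships C and D. The sample network, the numeric ratings, and the aggregation rule (multiply ratings along a path, keep the best path) are assumptions made here; the paper defers aggregation to the belief calculus of Jøsang et al (2006).

```python
from collections import defaultdict

CTX = "making good assertions"
# Constructed sample network (not the paper's Fig. 5): (trustor, trustee, kind, context, rating)
EDGES = [
    ("A", "B", "referral", CTX, 0.9),
    ("B", "C", "referral", CTX, 0.8),
    ("C", "A", "referral", CTX, 0.5),      # cycle, must not loop forever
    ("A", "D", "performance", CTX, 0.6),
    ("B", "D", "performance", CTX, 0.9),
    ("C", "E", "performance", CTX, 0.7),
    ("E", "F", "performance", CTX, 0.9),   # performance trust alone is not transitive
    ("A", "F", "performance", "maintaining privacy", 1.0),  # a different context
]

def _arcs(edges, context):
    """Split the arcs of one context into referral and performance maps."""
    ref, perf = defaultdict(dict), defaultdict(dict)
    for src, dst, kind, ctx, rating in edges:
        if ctx == context:
            (ref if kind == "referral" else perf)[src][dst] = rating
    return ref, perf

def trust_paths(edges, trustor, trustee, context):
    """Valid paths: zero or more referral arcs, then one performance arc."""
    ref, perf = _arcs(edges, context)
    found = []
    def walk(node, path, score):
        if trustee in perf[node]:
            found.append((path + [trustee], score * perf[node][trustee]))
        for nxt, rating in ref[node].items():
            if nxt not in path and nxt != trustee:   # simple paths only
                walk(nxt, path + [nxt], score * rating)
    walk(trustor, [trustor], 1.0)
    return found

def trust_rating(edges, trustor, trustee, context):
    """Assumed aggregation: multiply along each path, keep the best path."""
    return max((s for _, s in trust_paths(edges, trustor, trustee, context)), default=0.0)

def trust_check(edges, trustor, trustee, context, threshold):
    """Fail closed: no valid path or a low rating means the operation terminates."""
    return trust_rating(edges, trustor, trustee, context) >= threshold

def trustees(edges, trustor, context):
    """Everyone the trustor can rate in this context via a valid path."""
    nodes = {n for e in edges for n in e[:2]}
    return {n for n in nodes if n != trustor and trust_paths(edges, trustor, n, context)}
```

In this constructed network A reaches D both directly and through B's referral, but cannot reach F in the 'making good assertions' context, because E is known to the chain only through performance trust and gives no referral path onwards.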

5 Impact of decentralised identity on the Information Society 

Fundamentally, we are considering the move from authority-centric centralised identity 
provisioning (Miyata et al, 2006) to user-centric (Maler and Reed, 2008) distributed iden- 
tity provisioning (McLaughlin et al, 2009), in which identity provision will be provided 
based on trust derived through social networks. 

5.1 In the short to mid term 

The increasing availability of distributed identity provisioning will over time drastically 
change the landscape of identity provisioning in the Information Society, supporting the 
ever-increasing trend (Pato and Center, 2003) towards individuals and organisations using 
multiple identity provision schemes, including established centralised authorities, newer 
independent decentralised authorities, and future distributed trust-based self-provisioning 
of identity through social networks. The Web 2.0 phenomenon (O'Reilly, 2007) has shown 
the potential and possibility for identity provisioning through trust in social networks 
(Andersen, 2007), i.e. trust networks. So, the future of the Information Society will 
involve extending Web 2.0 social networking to trust-based (Jøsang et al, 2006) distributed 
identity provisioning. 

Figure 7: Identity Provisioning Landscape (modified from (World Economic Forum, 
2007)): The first figure provides a rendition of centralised identity provisioning as it has 
existed previously, which will continue being the dominant scheme in the immediate and 
short term (Miyata et al, 2006). The second figure provides a rendition of decentralised 
identity provisioning (SourceID, 2009), which is an increasingly available and popular 
alternative in the short to mid term. Finally, the third figure provides a rendition of 
distributed identity provisioning (McLaughlin et al, 2009), which will become increasingly 
available in the long term. 

The availability of distributed identity provisioning will flatten the landscape of 
identity provisioning, which was previously dominated and defined by centralised identity 
provisioning. So, past social and power structures (Pekarek and Potzsch, 2009) of the 
landscape will wane as individuals and organisations have an increasing choice of identity 
provisioning schemes (Johnson et al, 2004; Miyata et al, 2006). This will allow a range of 
social and power structures for identity provisioning, appropriate for individuals, 
communities, and organisations. Ultimately, the balance of the landscape will shift, re-defined by the 
choice of individuals and organisations, from centralised identity provisioning to 
increasingly available decentralised identity provisioning (e.g. eduroam 25), and also distributed 
identity provisioning as it becomes available, as shown in Fig. 7. 

5.2 In the long term 

In this brave new world each user would inherently possess a unique social identity 
(Ashforth and Mael, 1989; Tajfel, 1974) (distributed and relative in the context of social 
networks), which combined with distributed identity provisioning would lead to an 
inversion of the currently predominant membership model. So, instead of users registering for 
each website (or service) anew, they could simply add the website to their identity and 
grant access. This would allow users to have multiple services connected to their identity, instead 
of creating new identities for each service. This relationship is reminiscent of recent 
application platforms, such as Facebook's f8 26 and Apple's App Store 27, but distributed in 
nature and so free from the control of centralised resource provisioning. It would also allow for 
the reuse of the connections between users, akin to Google's Friend Connect 28, instead 
of reestablishing them for each new application. 

So, identity in the Information Society will arise naturally from the structure of the 
network, based on the relation of nodes to each other via social networks, or more gen- 
erally networks of interaction (Stevenson, 1990), and therefore with the ability to scale 
and expand without centralised control, as shown in Fig. 7. Such distributed identity 
provisioning schemes will make use of the property that each node possesses a unique 
position in the network, i.e. sets of connections to other nodes in different networks. 
As such, distributed identity provisioning will increasingly rely upon challenge and 
response style authentication mechanisms (Mitchell, 1989). A simple example would be 
additional authorisation requests (security checks) when connecting from relatively remote 
nodes (locations), i.e. from a different country, which shows that once node connectivity 
significantly changes the inherent identification it provides must be re-established. How- 
ever, this will not preclude identity partitioning (audience segregation (Goffman, 1959)) 
or multiple identities (e.g. work and personal), including specific identities for special- 
ist communities, allowing for different kinds of social relationships to be established and 
maintained (Rachels, 1975). 

5.2.1 Digital Business Ecosystems 

We can further consider Digital Business Ecosystems (DBEs) (Nachira et al, 2007a) as 
a more concrete example of the potential impact of distributed identity provisioning on 
the Information Society. DBEs are distributed adaptive open socio-economic technical 
systems, with properties of self-organisation, scalability and sustainability, inspired by 
natural ecosystems. So, distributed identity provisioning would be a fundamental first 
step in creating dynamic virtual organisations (VOs) (Desanctis and Monge, 1999) of 
SMEs aiming to compete with established large keystone firms (Iansiti and Levien, 2004). 
Such VOs can make use of distributed identity provisioning, in which all the members 
share identity provisioning tasks and activities, but may equally choose to adopt 
internal or external (non-competing) centralised identity provisioning (benevolent dictatorship 
approach (Johnson et al, 2004)). However, proportional representation schemes 
(Johnson et al, 2004) would be possible, in which some SMEs of a VO retain full control over 
their identity provisioning activities. Therefore, fundamentally, our research goes beyond 
just distributed identity provisioning, affording users choice over the social and power 
structures of their identity provisioning, rather than having centralised identity provision 
thrust upon them. 

25 Participating institutions, typically universities and other research and educational organisations, 
allow a user belonging to one institution to get network access when visiting another institution. The 
visiting user is authenticated in a decentralised manner by their home institution, and so using their 
existing identity (Florio and Wierenga, 2005). 

26 http://www.facebook.com/f8 

27 http://www.apple.com/iphone/apps-for-iphone/ 

28 http://www.google.com/friendconnect/ 

Figure 8: Digital Business Ecosystem (Nachira et al, 2007a): Conceptual visualisation 
(English and Dory, 2007) showing a DBE of interacting Small and Medium sized 
Enterprise users, via the services they provide and consume, creating networks of 
business ecosystems distributed over different geographical regions, business domains, and 
industry sectors. 

6 Conclusions and future work 

We have seen how a network of trust can be used to give trust ratings between a trustor 
and a trustee in identity contexts, such as 'making good assertions' or 'recommending 
good IdP', how a trust manager can maintain and gather trust ratings, and how trust 
transitivity allows us to trace and aggregate trust paths in the trust network. We have 
also seen that operations, such as SSO, rely on a set of implicit trust relationships, some 
of which form the foundation of federations, dynamic or otherwise. By extension it is 
clear that federations can be formed between the identity domains of any two IdPs, 
given sufficient trust. Furthermore, we have discussed how this decentralised identity 
can arise, both in general terms, based on existing trends of ever-increasing diversity in 
the provisioning of identity, and specific examples such as business ecosystems of SME 
networks. 

Future work includes the integration of the open source IdentityFlow and TrustFlow 
projects to enable third parties to realise trustworthy, decentralised identity management. 
There is also considerable scope for future work in dynamic identity provisioning in unsta- 
ble coalitions. Furthermore, the development of the trust manager to draw trust inferences 
across context boundaries and to infer trust from social networks presents a number of 
interesting possibilities. 